Title: [274439] trunk/Source/WebKit
- Revision
- 274439
- Author
- pvol...@apple.com
- Date
- 2021-03-15 14:22:51 -0700 (Mon, 15 Mar 2021)
Log Message
Enforce subcommand filtering
https://bugs.webkit.org/show_bug.cgi?id=223192
<rdar://75434409>
Reviewed by Brent Fulgham.
Enforce subcommand filtering in the WebContent process' sandbox.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:
Modified: trunk/Source/WebKit/ChangeLog (274438 => 274439)
--- trunk/Source/WebKit/ChangeLog 2021-03-15 20:49:55 UTC (rev 274438)
+++ trunk/Source/WebKit/ChangeLog 2021-03-15 21:22:51 UTC (rev 274439)
@@ -1,3 +1,16 @@
+2021-03-15 Per Arne Vollan <pvol...@apple.com>
+
+ Enforce subcommand filtering
+ https://bugs.webkit.org/show_bug.cgi?id=223192
+ <rdar://75434409>
+
+ Reviewed by Brent Fulgham.
+
+ Enforce subcommand filtering in the WebContent process' sandbox.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-03-15 Jer Noble <jer.no...@apple.com>
[Cocoa] Adopt AudioComponentApplyServerRegistrations()
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (274438 => 274439)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-03-15 20:49:55 UTC (rev 274438)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-03-15 21:22:51 UTC (rev 274439)
@@ -1317,7 +1317,7 @@
)
(when (defined? 'file-ioctl)
- (allow file-ioctl (with telemetry))
+ (deny file-ioctl (with telemetry))
;; restrict to the two ioctl's /dev/aes_0 needs
(allow file-ioctl (with telemetry)
(ioctl-command (_IO "T" 101)) ;; IOAES_GET_INFO
@@ -1325,12 +1325,22 @@
)
(when (defined? 'socket-ioctl)
- (allow socket-ioctl (with telemetry))
+ (deny socket-ioctl (with telemetry))
)
(when (defined? 'system-fcntl)
- (allow system-fcntl (with telemetry))
+ (deny system-fcntl (with telemetry))
(allow system-fcntl
+ (fcntl-command F_BARRIERFSYNC)
+ (fcntl-command F_GETCONFINED)
+ (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+ (fcntl-command F_GETLK)
+ (fcntl-command F_GETSIGSINFO)
+ (fcntl-command F_NOCACHE)
+ (fcntl-command F_OFD_GETLK)
+ (fcntl-command F_OFD_SETLKWTIMEOUT)
+ (fcntl-command F_RDADVISE)
+ (fcntl-command F_SETCONFINED)
(fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
(fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
(fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
@@ -1337,10 +1347,12 @@
(fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
(fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
(fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
- (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
(fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
(fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
+ (allow system-fcntl (with telemetry-backtrace)
+ (fcntl-command F_OFD_SETLK))
+
(allow system-fcntl
(fcntl-command F_GETPROTECTIONCLASS))
)
@@ -1347,14 +1359,15 @@
(when (defined? 'process-codesigning*)
;; csops/csops_audittoken
- (allow process-codesigning-status-set (with telemetry))
- (allow process-codesigning-text-offset-get (with telemetry))
- (allow process-codesigning-cdhash-get (with telemetry))
- (allow process-codesigning-blob-get (with telemetry))
- (allow process-codesigning-teamid-get (with telemetry))
- (allow process-codesigning-identity-get (with telemetry)) ;; codeSigningIdentifierForCurrentProcess
+ (deny process-codesigning-status-set (with telemetry))
+ (deny process-codesigning-text-offset-get (with telemetry))
+ (deny process-codesigning-cdhash-get (with telemetry))
+ (deny process-codesigning-blob-get (with telemetry))
+ (deny process-codesigning-teamid-get (with telemetry))
+ (allow process-codesigning-identity-get (target self)) ;; codeSigningIdentifierForCurrentProcess
(allow process-codesigning-entitlements-blob-get) ;; WK reading entitlments via SecTaskCopyValueForEntitlement and _getSelfParsedEntitlements (accessibility)
(allow process-codesigning-status-get) ;; _xpc_get_entitlements
+ (allow process-codesigning-status-set (target self))
(deny process-info-codesignature (with no-report)) ;; SecTaskCopyValueForEntitlement - granting this grants all the process-codesign-* checks
)
@@ -1364,7 +1377,7 @@
(when (defined? 'socket-option-get)
;; getsockopt
- (allow socket-option-get (with telemetry))
+ (deny socket-option-get (with telemetry))
(allow socket-option-get
(require-all
(socket-option-level SOL_SOCKET)
@@ -1373,7 +1386,7 @@
(when (defined? 'socket-option-set)
;; setsockopt
- (allow socket-option-set (with telemetry))
+ (deny socket-option-set (with telemetry))
)
(when (defined? 'mach-bootstrap)
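Review bot: The ten fcntl commands added at the head of the allow list (F_BARRIERFSYNC through F_SETCONFINED) carry no attribution comment, while every pre-existing entry in the same list names the library or function observed using it, and only the relocated F_GETFL keeps its note; the same unannotated block is added in WebProcess.sb.in. Since these entries are presumably what the old blanket `(allow system-fcntl (with telemetry))` collected, a comment per entry in the existing style, e.g. `(fcntl-command F_OFD_GETLK) ;; <caller seen in telemetry>`, would let a later reviewer tell a required command from a stale one. The separate `(allow system-fcntl (with telemetry-backtrace) (fcntl-command F_OFD_SETLK))` is the only entry that still reports, which reads as an open investigation; a one-line comment such as `;; caller not yet identified - still collecting backtraces` would make that intent explicit instead of leaving it to be inferred from the modifier.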
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (274438 => 274439)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-03-15 20:49:55 UTC (rev 274438)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-03-15 21:22:51 UTC (rev 274439)
@@ -1543,16 +1543,27 @@
(fsctl-command (_IO "h" 47))) ;; See <rdar://74387453>
(when (defined? 'file-ioctl)
- (allow file-ioctl (with telemetry))
+ (deny file-ioctl (with telemetry))
+ (allow file-ioctl (literal "/dev/dtracehelper"))
)
(when (defined? 'socket-ioctl)
- (allow socket-ioctl (with telemetry))
+ (deny socket-ioctl (with telemetry))
)
(when (defined? 'system-fcntl)
- (allow system-fcntl (with telemetry))
+ (deny system-fcntl (with telemetry))
(allow system-fcntl
+ (fcntl-command F_BARRIERFSYNC)
+ (fcntl-command F_GETCONFINED)
+ (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+ (fcntl-command F_GETLK)
+ (fcntl-command F_GETSIGSINFO)
+ (fcntl-command F_NOCACHE)
+ (fcntl-command F_OFD_GETLK)
+ (fcntl-command F_OFD_SETLKWTIMEOUT)
+ (fcntl-command F_RDADVISE)
+ (fcntl-command F_SETCONFINED)
(fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
(fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
(fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
@@ -1559,13 +1570,14 @@
(fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
(fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
(fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
- (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
(fcntl-command F_RDADVISE) ;; CoreNLP::ReadOnlyFile <- +[DDScannerService scanString:range:configuration:] <- WebCore::DictionaryLookup::rangeAtHitTestResult(WebCore::HitTestResult const&)
(fcntl-command F_NOCACHE) ;; Security::UnixPlusPlus::FileDesc::fcnt <- MTRegisterPluginFormatReaderBundleDirectory <- invocation function for block in WebCore::registerFormatReaderIfNecessary()
-
(fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
(fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
+ (allow system-fcntl (with telemetry-backtrace)
+ (fcntl-command F_OFD_SETLK))
+
(allow system-fcntl
(fcntl-command F_GETPROTECTIONCLASS))
)
@@ -1572,20 +1584,20 @@
(when (defined? 'process-codesigning*)
;; csops/csops_audittoken
- (allow process-codesigning-status-set (with telemetry))
- (allow process-codesigning-text-offset-get (with telemetry))
- (allow process-codesigning-cdhash-get (with telemetry))
- (allow process-codesigning-blob-get (with telemetry))
- (allow process-codesigning-teamid-get (with telemetry))
+ (deny process-codesigning-text-offset-get (with telemetry))
+ (deny process-codesigning-cdhash-get (with telemetry))
+ (deny process-codesigning-blob-get (with telemetry))
+ (deny process-codesigning-teamid-get (with telemetry))
(allow process-codesigning-identity-get (with telemetry)) ;; codeSigningIdentifierForCurrentProcess
(allow process-codesigning-entitlements-blob-get) ;; WK reading entitlments via SecTaskCopyValueForEntitlement and _getSelfParsedEntitlements (accessibility)
(allow process-codesigning-status-get) ;; _xpc_get_entitlements
+ (allow process-codesigning-status-set (target self))
(deny process-info-codesignature (with no-report)) ;; SecTaskCopyValueForEntitlement - granting this grants all the process-codesign-* checks
)
(when (defined? 'socket-option-get)
;; getsockopt
- (allow socket-option-get (with telemetry))
+ (deny socket-option-get (with telemetry))
(allow socket-option-get
(require-all
(socket-option-level SOL_SOCKET)
@@ -1594,7 +1606,7 @@
(when (defined? 'socket-option-set)
;; setsockopt
- (allow socket-option-set (with telemetry))
+ (deny socket-option-set (with telemetry))
)
(when (defined? 'syscall-unix)
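Review bot: The new `(allow file-ioctl (literal "/dev/dtracehelper"))` has no `ioctl-command` filter and no comment naming its caller, unlike the `/dev/aes_0` rule in the iOS profile that is limited to the two commands it needs; if this is for dyld's DTrace probe registration (presumably, given the device), a comment such as `;; dyld registers DTrace probes via ioctl on /dev/dtracehelper - TODO confirm` and, once the command is known, an `(ioctl-command ...)` filter would keep the rule as narrow as the rest of this hunk. In the fcntl list, F_RDADVISE and F_NOCACHE are now added a second time ahead of the existing annotated entries for the same two commands, so one of each pair should be dropped. The process-codesigning hunk removes the broad allow for `process-codesigning-status-set` without adding the `(deny process-codesigning-status-set (with telemetry))` that the iOS profile adds, and keeps `process-codesigning-identity-get` allowed for any target where the iOS profile narrows it to `(target self)`; if the macOS profile is deliberately looser here, a comment saying so would save the next reader from reconciling the two files.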